Patch time! NVIDIA fixes kernel driver holes on Windows and Linux

By Paul Ducklin

The latest security patches from NVIDIA, the maker of high-end graphics cards, are out.

Both Windows and Linux are affected.

NVIDIA hasn’t yet given out any real details about the bugs, but 12 different CVE-tagged flaws have been fixed, numbered sequentially from CVE-2020-5962 to CVE-2020-5973.

As far as we can tell, none of the bugs can be triggered remotely, so they don’t count as RCEs, or remote code execution holes, by means of which crooks could directly hack into your laptop or server over the internet.

However, as is very common with security bugs in kernel-land, they could let crooks carry out what’s known as information disclosure or elevation of privilege attacks.

Given that the kernel contains information about the entire system, including details such as which processes are allowed to access what memory locations, being able to fiddle around inside the kernel is usually a privilege reserved for top-level sysadmins only.

Kernel bugs that allow regular users to peek into the kernel’s protected memory areas are therefore dangerous because they can often be exploited by criminals to grant themselves permanent administrator powers without needing to know any administrator passwords.

Read more at https://nakedsecurity.sophos.com/2020/06/25/patch-time-nvidia-fixes-kernel-driver-holes-on-windows-and-linux/

Twitter apologizes for leaking businesses’ financial data

By Lisa Vaas

Twitter apologized on Tuesday for sticking business clients’ billing information into browser cache – a spot where the uninvited could have had a peek, regardless of not having the right to see it.

In an email to its clients, Twitter said it was “possible” that others could have accessed the sensitive information, which included email addresses, phone numbers and the last four digits of clients’ credit card numbers. Any and all of that data could leave businesses vulnerable to phishing campaigns and business email compromise (BEC) – a crime that the FBI says is getting pulled off by increasingly sophisticated operators who’ve grown fond of vacuuming out payrolls.

Mind you, Twitter hasn’t come across evidence that billing information was, in fact, compromised.

On 20 May, Twitter updated the instructions that Twitter sends to browser cache, thereby putting a stopper in the leak. The two affected platforms are ads.twitter.com or analytics.twitter.co. If you viewed your billing information on either platform before 20 May, your billing information may have gotten stuck in browser cache.

Read more at https://nakedsecurity.sophos.com/2020/06/25/twitter-apologizes-for-leaking-businesses-financial-data/

Glupteba – the malware that gets secret messages from the Bitcoin blockchain

By Paul Ducklin

Here’s a SophosLabs technical paper that should tick all your jargon boxes!

Our experts have deconstructed a strain of malware called Glupteba that uses just about every cybercrime trick you’ve heard of, and probably several more besides.

Like a lot of malware these days. Glupteba is what’s known a zombie or bot (short for software robot) that can be controlled from afar by the crooks who wrote it.

But it’s more than just a remote control tool for criminals, because Glupteba also includes a range of components that let it serve as all of the following:

Read more at https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/

iOS 14, macOS Big Sur, Safari to give us ‘No, thanks!’ option for ad tracking

By Lisa Vaas

As is typical for Apple’s developer conferences, on Monday it started hyping the privacy and security goodies it’s got in store for us in a few months.

During the pre-taped keynote at Apple’s Worldwide Developers Conference (WWDC), the company promised to pump up data protection even more with gobs of new features in its upcoming iOS 14, macOS Big Sur, and Safari releases.

(Here’s the complete keynote transcript, courtesy of Mac Rumors, if you don’t have a spare 1:48:51 to listen to the opening for Apple’s first-ever, all-online WWDC.)

Pretty please stop the ad tracking

The big ones include the option for users to decline apps’ ad tracking. More specifically, we’ll be given the option to “Allow Tracking” or “Ask App Not to Track.” As Wired’s Lily Hay Newman points out, “asking” sounds a lot more dubious than “blocking.” But Apple makes it decisive in its notes to developers, where it says that the permission is a must-have for developers, not a nice-if-you’re-in-the-mood.

Read more at https://nakedsecurity.sophos.com/2020/06/24/ios-14-macos-big-sur-safari-to-give-us-no-thanks-option-for-ad-tracking/

United States wants HTTPS for all government sites, all the time

By Paul Ducklin

The US government just announced its plans for HTTPS on all dot-gov sites.

HTTPS, of course, is short for for “secure HTTP”, and it’s the system that puts the padlock in your browser’s address bar.

Actually, the government is going one step further than that.

As well as saying all dot-gov sites should be available over HTTPS, the government wants to get to the point that all of its web servers are publicly committed to use HTTPS by default.

That paves the way to retiring HTTP altogether and preventing web users from making unencrypted connection to government sites at all.

Read more at https://nakedsecurity.sophos.com/2020/06/23/united-states-wants-https-for-all-government-sites-all-the-time/

‘BlueLeaks’ exposes sensitive files from hundreds of police departments

By Lisa Vaas

DDoSecret – a journalist collective known as a more transparent alternative to Wikileaks – published hundreds of thousands of potentially sensitive files from law enforcement, totaling nearly 270 gigabytes, on Juneteenth.

That date – 19 June – is a holiday that celebrates the emancipation of those who were enslaved in the US. There’s currently a push to make the date into a national holiday – a movement bolstered by the nationwide Black Lives Matter (BLM) protests.

DDoSecrets, which refers to itself as a “transparency collective,” has dubbed the release BlueLeaks.

On Friday, DDoSecrets said on Twitter that the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources”, including “police and FBI reports, bulletins, guides and more.”

Fusion Centers are state-owned and operated entities that gather and disseminate law enforcement and public safety information between state, local, tribal and territorial, federal and private sector partners.

DDoSecrets published the data in a publicly accessible, searchable portal that says it contains more than 1 million files, such as scanned documents, videos, emails, audio files, and more.

Read more at https://nakedsecurity.sophos.com/2020/06/23/blueleaks-exposes-sensitive-files-from-hundreds-of-police-departments/